From: Eric Davis <edavis@littlestreamsoftware.com>
Date: Sun, 14 Jun 2009 16:22:23 +0000 (+0000)
Subject: Added workaround for a Ruby BigDecimal bug, CVE-2009-1904. (#3475)
X-Git-Tag: 0.9.0~424
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=2221d68c4d2c208f5aebc511988cc080a3b74cdf;p=redmine.git

Added workaround for a Ruby BigDecimal bug, CVE-2009-1904. (#3475)

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@2790 e93f8b46-1217-0410-a6f0-8f06a7374b81
---

diff --git a/config/initializers/bigdecimal-segfault-fix.rb b/config/initializers/bigdecimal-segfault-fix.rb
new file mode 100644
index 000000000..8fb3bf9ee
--- /dev/null
+++ b/config/initializers/bigdecimal-segfault-fix.rb
@@ -0,0 +1,30 @@
+# Copyright (c) 2009 Michael Koziarski <michael@koziarski.com>
+# 
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+# 
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+require 'bigdecimal'
+
+alias BigDecimalUnsafe BigDecimal
+
+
+# This fixes CVE-2009-1904 however it removes legitimate functionality that your
+# application may depend on.  You are *strongly* advised to upgrade your ruby
+# rather than relying on this fix for an extended period of time.
+
+def BigDecimal(initial, digits=0)
+  if initial.size > 255 || initial =~ /e/i
+    raise "Invalid big Decimal Value"
+  end
+  BigDecimalUnsafe(initial, digits)
+end
+